Is DKIM domain alignment mandatory if SPF is already aligned for DMARC?

No, not necessarily. For DMARC alignment to pass, your From: header domain must align with either the SPF domain or the DKIM domain. While DKIM signing is required, DKIM alignment itself is only one of two paths to DMARC alignment.

What specific DMARC policy is required by Google and Yahoo?

For bulk senders, both Google and Yahoo require a DMARC policy to be published for your sending domain. This policy must include a mechanism to report on authentication failures and specify how receiving servers should handle non-compliant mail (e.g., p=none , p=quarantine , or p=reject ).

How do I ensure SPF and DKIM domains align with my 'From' header?

The domain in your From: header (the domain your recipients see) must be the same as, or a subdomain of, the domain used for either your SPF authentication (the Return-Path domain) or your DKIM authentication (the d= tag in the DKIM signature).

Do tracking links or unsubscribe links need to be DKIM aligned?

While it's a good practice for overall brand consistency and deliverability, Google and Yahoo's requirements primarily focus on DMARC alignment of the From: header domain. Tracking links are not explicitly required to align with your DKIM signing domain for compliance, but ensuring List-Unsubscribe is DKIM signed is important.

Is DKIM domain alignment required for Google and Yahoo's new email sending requirements? - Technical - Email deliverability - Knowledge base

The email landscape underwent significant changes with Google and Yahoo's new email sending requirements, particularly for bulk senders. A common question that arose was whether DKIM domain alignment is now a strict requirement for all outgoing mail. It's a critical point to clarify, as misunderstanding can lead to deliverability issues (or even blacklists), missed opportunities, and wasted effort.

My goal here is to demystify these requirements and provide a clear understanding of what DKIM domain alignment means in the context of these new guidelines. We'll explore the nuances between what is absolutely required and what constitutes a best practice for optimal inbox placement.

Suped DMARC monitoring

Free forever, no credit card required

Learn more

Trusted by teams securing millions of inboxes

DKIM, SPF, and DMARC alignment explained

Before diving into alignment specifics, it's helpful to quickly recap DKIM and DMARC. DKIM (DomainKeys Identified Mail) is an email authentication method that uses a digital signature to verify the sender of an email and ensure that the email content hasn't been tampered with in transit. It adds a layer of trust, letting receiving servers know that the message truly originated from the claimed domain.

DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM. It provides instructions to receiving mail servers on how to handle emails that fail authentication checks, and it also offers a reporting mechanism for senders to gain insight into their email streams. For an email to pass DMARC, either its SPF or DKIM checks must pass and also align with the domain in the From: header. This concept of alignment is key to DMARC's effectiveness in preventing email spoofing and phishing.

In essence, DMARC alignment means that the domain found in the email's From: header (the one users see) must match or be a subdomain of the domain used for either the SPF check (the Return-Path domain) or the DKIM check (the d= tag in the DKIM signature). This is the crucial part for Google and Yahoo, as they both require DMARC enforcement.

The importance of DMARC alignment

Google and Yahoo are enforcing DMARC as a cornerstone of their new policies. This means that if your emails don't pass DMARC alignment (via either SPF or DKIM), they are at a much higher risk of being rejected or sent to the spam folder. Understanding this is fundamental to ensuring your emails reach their intended recipients.

Google and Yahoo's specific requirements

For senders to Google and Yahoo, the main takeaway is that DMARC authentication with alignment is now mandatory for certain sending thresholds. This means your emails must be authenticated by either SPF or DKIM, and the authenticating domain must align with the From: header domain. If you are a bulk sender, both SPF and DKIM must be set up for your domain. It's not enough to just have them existing; they must pass authentication, and at least one must align.

Specifically for DKIM, every message you send must have at least one valid DKIM signature. The domain in this signature (the d= tag) needs to align with the domain in your From: header. This is the definition of DKIM alignment, and it's a direct requirement for DMARC to pass if you're relying on DKIM for alignment. If your SPF also aligns, then the DMARC requirement for alignment will be met.

One important clarification to note from the industry discussion, including insights shared in email communities like Word to the Wise, is that while the List-Unsubscribe header must be DKIM signed, its domain does not necessarily need to align with your d= domain. This helps maintain flexibility, especially when using third-party email service providers (ESPs) for unsubscribe links.

For a clear breakdown of specific requirements, here's a quick comparison:

Requirement Category	Google's Guidelines	Yahoo's Guidelines
Authentication (SPF/DKIM)	Mandatory for all senders, especially bulk. At least one must pass.	Strongly recommended for all, mandatory for bulk senders. At least one must pass.
DMARC Policy & Alignment	Required for bulk senders. Must pass DMARC alignment (From: header with SPF or DKIM).	Required for bulk senders. Must pass DMARC alignment.
DKIM Signature Presence	Required for all messages (at least one valid DKIM signature).	Required for all messages (at least one valid DKIM signature).
One-Click Unsubscribe	Required for bulk senders. URL must be DKIM signed.	Required for bulk senders. URL must be DKIM signed.

Going beyond the requirements: why full alignment matters

While DKIM alignment is indeed a component of DMARC and thus required for DMARC pass, it's worth noting that if your SPF aligns, your DMARC check can still pass even if your DKIM doesn't. However, having both SPF and DKIM align strongly with your From: domain is generally considered a stronger best practice for maximizing deliverability. It creates a more cohesive and trustworthy sending identity.

Beyond the explicit requirements, aligning all your sending domains and authentication mechanisms helps to build a robust sender reputation. Mailbox providers, including

Google and

Yahoo, assess numerous signals to determine inbox placement. Strong, consistent authentication, including full alignment where possible, positively impacts how your emails are perceived. This is especially true for those sending from shared domains or via third-party services.

Therefore, while the technical minimum might allow for DMARC to pass with only one aligned protocol, aiming for both SPF and DKIM alignment (where the From: header domain aligns with the DKIM d= tag and the SPF Return-Path domain) contributes to a more robust and resilient email program.

Required for DMARC compliance

DKIM Signature: All messages must have a valid DKIM signature.
DMARC Alignment: The domain in the From: header must align with either the SPF domain or the DKIM domain.

Recommended for optimal deliverability

Full Alignment: Aligning both SPF and DKIM with the From: header domain for enhanced trust.
Dedicated Domains: Using your own dedicated domains for sending and tracking can further improve reputation and avoid issues with shared IP or domain reputation.

Practical steps for compliance and deliverability

Ensuring compliance and maximizing deliverability requires a few practical steps. Firstly, verify that you have robust SPF, DKIM, and DMARC records published for your sending domain. This is the foundation.

Next, implement DMARC with at least a p=none policy and configure DMARC reporting to gain visibility into your email authentication results. This allows you to identify any authentication failures and take corrective action. You can use a DMARC record generator to get started easily.

If you're using a third-party Email Service Provider (ESP), ensure they support proper DKIM and SPF configuration for your custom domain, and that they facilitate DMARC alignment. Many ESPs handle this seamlessly, but it's crucial to confirm. For example, some ESPs use shared authentication domains, which can complicate direct alignment with your From: domain.

Finally, monitor your DMARC reports regularly. They provide invaluable data on your email's authentication status and can help you quickly identify and resolve any issues. Tools for DMARC monitoring can automate this process and provide actionable insights. This proactive approach ensures your emails continue to comply with evolving sender guidelines and maintain optimal inbox placement, avoiding common pitfalls like being placed on a blacklist (or blocklist).

Example DMARC record

A minimal DMARC record to start with, setting the policy to 'none' and directing reports to your email address.

DNS TXT record for DMARCDNS

v=DMARC1; p=none; rua=mailto:dmarcreports@yourdomain.com;

Views from the trenches

Best practices

Always use a consistent 'From' address domain that matches your authenticated SPF or DKIM domain.

Implement a DMARC policy (even if it's 'p=none' initially) to gain visibility into your email ecosystem.

Monitor your DMARC reports regularly to catch authentication issues early and ensure compliance.

Ensure your 'List-Unsubscribe' header is present and correctly signed with DKIM, as required by major mailbox providers.

Common pitfalls

Forgetting to update DNS records for SPF or DKIM when changing ESPs or sending infrastructure.

Not having a DMARC record at all, leaving your domain vulnerable to spoofing and impacting deliverability.

Assuming shared IP or domain authentication from an ESP is sufficient without custom domain alignment.

Ignoring DMARC aggregate and forensic reports, missing critical insights into email authentication failures.

Expert tips

Consider achieving alignment for both SPF and DKIM if possible, even if only one is strictly required for DMARC pass.

Gradually enforce your DMARC policy from 'p=none' to 'p=quarantine' or 'p=reject' after thorough monitoring.

Utilize Google Postmaster Tools and other monitoring services to track your domain's reputation.

For high-volume sending, consider dedicated IP addresses to have more control over your sending reputation.

Expert view

Expert from Email Geeks says that full alignment isn't strictly required, but it's beneficial. The List-Unsubscribe header must be DKIM signed but does not need to align with the DKIM domain.

2024-01-08 - Email Geeks

Expert view

Expert from Email Geeks says that the broader industry consensus does not suggest full alignment requirements, except for very niche scenarios.

2024-01-08 - Email Geeks

Navigating the new email landscape with confidence

To summarize, DKIM domain alignment is indeed required for Google and Yahoo's new email sending requirements, but specifically as a component of DMARC alignment. This means that your From: header domain must align with either your SPF or your DKIM authenticating domain for DMARC to pass. Beyond this, having a valid DKIM signature on all messages is a baseline requirement.

While you might pass DMARC with only SPF alignment, striving for both SPF and DKIM alignment offers a stronger, more resilient email delivery strategy. Staying compliant with these evolving standards is not just about avoiding the spam folder or a blocklist (or blacklist), it's about building trust and ensuring your messages consistently reach your audience.